Drupal Release: 5.0-beta-1

TL;DR

Drupal 5.0-beta-1 represents a major evolution from version 4.7.11, introducing significant architectural changes and modern web development features. This release brings jQuery integration, a new theme engine (Garland), improved module management with package support, pluggable session handling, and a comprehensive status reporting system. Security has been enhanced with form tokens to prevent CSRF attacks, and the installer now supports multiple databases including PostgreSQL. While this is a beta release with substantial code changes (15,328 changes across 237 files), it lays the foundation for a more robust, flexible, and developer-friendly Drupal platform.

Highlight of the Release

• Introduction of jQuery JavaScript library into core
• New Garland theme with color customization module
• Comprehensive status report page for system health monitoring
• Module package support for better organization
• Pluggable session handling
• Enhanced security with form tokens
• Improved PostgreSQL compatibility
• Module dependency system
• Module uninstall UI

Migration Guide

Preparing for Drupal 5.0 Migration

Form API Changes

Drupal 5.0 introduces Form API 2.0 with significant changes to how forms are built and processed:

• Dynamic form IDs are no longer supported
• Form elements have new structure and properties
• Review all custom forms and form alters to ensure compatibility

Node API Changes

The node API has undergone changes that may affect custom modules:

• Node submit hooks have been modified
• NodeAPI implementation has changed
• Review all custom node hooks and implementations

Database Abstraction Layer

The database abstraction layer has been enhanced for better cross-database compatibility:

• SQL queries may need to be updated for compatibility
• Review custom SQL queries, especially if using PostgreSQL
• Table prefixing is now more consistently applied

Theme System Changes

Several changes to the theme system may affect custom themes:

• New theme functions and hooks have been added
• Some theme functions have been renamed (e.g., theme_closure() to theme('closure'))
• CSS classes and IDs have been standardized
• Review all custom themes and theme overrides

JavaScript Integration

With jQuery now in core:

• Review custom JavaScript for compatibility with jQuery
• Consider refactoring custom scripts to use jQuery
• Note that jQuery is version 1.0.2 in this release

Module Package System

Modules can now be organized into packages:

• Consider adding package information to custom modules
• Update module .info files to include package information

Session Handling

The new pluggable session handling may affect custom session management:

• Review any custom session handling code
• Consider using the new API for session customization

Module Dependencies

The new dependency system requires explicit declaration of module dependencies:

• Update custom modules to declare dependencies in .info files
• Test module enabling/disabling to ensure proper dependency handling

Upgrade Recommendations

As this is a beta release (5.0-beta-1), it is not recommended for production sites. This version represents a significant architectural change from the 4.7.x branch with many new features and API changes.

For Development and Testing:

• This release is ideal for developers who want to prepare their modules and themes for Drupal 5.0
• Site builders should use this to test site upgrades in a development environment
• Theme developers should begin adapting themes to work with the new Garland theme and CSS structure

For Production Sites:

• Continue using Drupal 4.7.x for production sites until the final 5.0 release
• Begin planning your upgrade strategy by testing on a development copy of your site
• Identify custom modules that may need updating for compatibility
• Review the migration guide to understand the scope of changes required

Preparation Steps:

1. Set up a development environment with this beta release
2. Test your existing modules and themes for compatibility
3. Begin adapting custom code to the new APIs
4. Document any issues encountered for resolution before upgrading production sites
5. Monitor for subsequent beta releases and the final 5.0 release

When the final 5.0 release is available, a more comprehensive upgrade path will be provided. This beta release is primarily for testing and preparation purposes.

Bug Fixes

PostgreSQL Compatibility

Multiple fixes for PostgreSQL compatibility issues, including:

• Fixed access checking on PostgreSQL
• Added missing title field for PostgreSQL
• Implemented greatest() function for PostgreSQL
• Fixed rand() function on PostgreSQL
• Fixed version checking with PostgreSQL
• Fixed installation with database table prefixing

Node Management

• Fixed issue with deleting content types
• Fixed problem with editing container descriptions of forums
• Fixed node validation preventing programmatic node submission
• Fixed custom node type permissions
• Fixed book outlining functionality

User Management

• Fixed multi-user deletion
• Prevented user 1 (admin) from being blocked or deleted
• Fixed profile registration fields for user admins
• Fixed anonymous comments not saving names
• Fixed username validation with null characters

Form API

• Fixed FAPI bugs related to dynamic form IDs
• Fixed previews in forms
• Fixed handling of checkboxes and radio buttons
• Added form tokens to prevent CSRF attacks

Taxonomy

• Fixed issue with editing parent terms
• Fixed category name handling with ampersands
• Fixed taxonomy term selection with multiple options

Other Fixes

• Fixed downloading attachments with IE6
• Fixed double escaping of filenames in upload module
• Fixed broken login issues
• Fixed infinite loop caused by install_goto()
• Fixed pager functionality
• Fixed SQL error in profile module
• Fixed broken links in various places
• Fixed UTF-7 exploit in drupal_set_header()

New Features

jQuery Integration

The addition of jQuery (version 1.0.2) to Drupal core marks a significant advancement in Drupal's JavaScript capabilities, providing a powerful and standardized way to implement dynamic behaviors.

Garland Theme

A new default theme called Garland has been added, featuring a clean, modern design with the innovative Color module that allows administrators to customize the color scheme without CSS knowledge.

Status Report Page

A comprehensive system status page has been added that monitors critical aspects of your Drupal installation, including PHP version, database connection, file permissions, and more.

Module Package Support

Modules can now be organized into logical packages on the module administration page, making it easier to find and manage related functionality.

Pluggable Session Handling

Session management can now be customized through a pluggable API, allowing for alternative session storage methods and improved security.

Module Dependency System

A formal dependency system for core modules has been implemented, ensuring that modules are enabled and disabled in the correct order based on their dependencies.

Module Uninstall UI

A new user interface for completely uninstalling modules has been added, allowing for cleaner removal of module data and configuration.

Aggressive Caching Strategy

New caching mechanisms have been implemented to improve performance, particularly for anonymous users and frequently accessed pages.

Security Updates

Form Token Protection

Every form now gets a token to prevent Cross-Site Request Forgery (CSRF) attacks, significantly enhancing the security of form submissions.

Anonymous Email Protection

Anonymous users can no longer send themselves a copy of messages through contact forms, preventing potential spam abuse.

PHP Code Security

Improved filtering of PHP nodes to prevent security vulnerabilities when using the PHP code input format.

Access Control Improvements

• Added proper access control to mass operations
• Fixed issue where revision log messages were visible to all users
• Improved control over who can see blocked users on profile pages

UTF-7 Exploit Prevention

Fixed a potential UTF-7 exploit in drupal_set_header() function.

HTML Title Protection

Added protection to prevent HTML in page titles, which could lead to XSS vulnerabilities.

Session Security

• Implemented support for SHA1 session IDs for stronger session security
• Fixed session handling to work around PHP session bugs
• Added pluggable session handling for custom security implementations

File Security

Added Apache .htaccess restriction for .info files to prevent direct access.

Performance Improvements

Aggressive Caching Strategy

A new aggressive caching strategy has been implemented that significantly improves performance for anonymous users and frequently accessed pages.

Bootstrap Process Optimization

Access checks have been moved up in the bootstrap process, preventing unnecessary loading of sessions when access is denied. This provides notable performance improvements when blocking crawlers.

Conditional JavaScript Loading

Drupal now avoids including drupal.js if there is no JavaScript on the page, reducing unnecessary HTTP requests and improving page load times.

Database Query Optimization

Several database queries have been optimized:

• Improved performance of user_is_blocked() by removing a redundant query
• Simplified SQL queries in various modules
• Added caching to taxonomy_get_term() to reduce database calls

Path Lookup Caching

Fixed caching for path lookups to ensure the correct data is cached, improving performance for URL alias resolution.

Session Handling

The new pluggable session handling allows for more efficient session storage methods, potentially improving performance for sites with many authenticated users.

Impact Summary

Drupal 5.0-beta-1 represents a significant evolution in the Drupal platform, introducing modern web development practices and enhancing both the developer and user experience. The integration of jQuery brings Drupal into the modern JavaScript ecosystem, while the new Garland theme with color customization improves the default user interface substantially.

For developers, this release offers numerous improvements including a revamped Form API, pluggable session handling, and a formal module dependency system. These changes provide greater flexibility and power but will require updates to custom code. The enhanced database abstraction layer improves cross-database compatibility, particularly for PostgreSQL users.

Site administrators benefit from the new status report page, improved module management with package organization, and a dedicated module uninstall UI. These features make system maintenance and troubleshooting more straightforward and efficient.

Security has been significantly enhanced with form tokens to prevent CSRF attacks, better handling of PHP code in content, and improved access controls throughout the system. Performance improvements include aggressive caching strategies and optimized bootstrap processes.

While this beta release introduces many breaking changes that will require code updates, it establishes a foundation for a more robust, secure, and developer-friendly Drupal platform. The architectural improvements in this version set the stage for Drupal's continued evolution as a leading content management framework.